17.13. Encrypting Swap

Written by Christian Brueffer.

Like the encryption of disk partitions, encryption of swap
space is used to protect sensitive information. Consider an
application that deals with passwords. As long as these
passwords stay in physical memory, they are not written to disk
and will be cleared after a reboot. However, if FreeBSD starts
swapping out memory pages to free space, the passwords may be
written to the disk unencrypted. Encrypting swap space can be a
solution for this scenario.

This section demonstrates how to configure an encrypted
swap partition using gbde(8) or geli(8) encryption.
It assumes that
/dev/ada0s1b is the swap partition.

17.13.1. Configuring Encrypted Swap

Swap partitions are not encrypted by default and should be
cleared of any sensitive data before continuing. To overwrite
the current swap partition with random garbage, execute the
following command:

# dd if=/dev/random of=/dev/ada0s1b bs=1m

To encrypt the swap partition using gbde(8), add the
.bde suffix to the swap line in
/etc/fstab:
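The resulting swap entry, shown here as an added illustration rather than a listing from this page, assumes the /dev/ada0s1b partition named above; only the device field changes, the rest of the line is an ordinary swap entry:

```fstab
# Device              Mountpoint    FStype    Options    Dump    Pass#
/dev/ada0s1b.bde      none          swap      sw         0       0
```

On the next boot the rc scripts attach the .bde device with a fresh random key before swap is enabled, so nothing that was swapped out survives a reboot in readable form.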

By default, geli(8) uses the AES
algorithm with a key length of 128 bits. Normally the default
settings will suffice. If desired, these defaults can be
altered in the options field in
/etc/fstab. The possible flags
are:

aalgo

Data integrity verification algorithm used to ensure
that the encrypted data has not been tampered with. See
geli(8) for a list of supported algorithms.

ealgo

Encryption algorithm used to protect the data. See
geli(8) for a list of supported algorithms.

keylen

The length of the key used for the encryption
algorithm. See geli(8) for the key lengths that
are supported by each encryption algorithm.

sectorsize

The size of the blocks data is broken into before
it is encrypted. Larger sector sizes increase
performance at the cost of higher storage
overhead. The recommended size is 4096 bytes.

This example configures an encrypted swap partition using
the Blowfish algorithm with a key length of 128 bits and a
sectorsize of 4 kilobytes:
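The following POSIX sh script is an added example, not part of the Handbook, that embeds a constructed /etc/fstab containing the Blowfish swap entry described above and audits it: it lists every swap entry, flags any whose device lacks the .eli (geli) or .bde (gbde) suffix as plaintext, and pulls individual geli options such as keylen or sectorsize out of the options field so a missing option is visible as "use the default". The fstab text, the plaintext comparison line and the helper names (swap_status, geli_option, all_swap_encrypted) are all assumptions of this example; /dev/ada0s1b is the partition assumed throughout this section.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): audit swap entries in an fstab
# and report whether each is protected by gbde (.bde) or geli (.eli).
# Both fstab texts below are constructed for this example.

SAMPLE_FSTAB='# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0s1a      /           ufs     rw       1     1
/dev/ada0s1b.eli  none        swap    sw,ealgo=blowfish,keylen=128,sectorsize=4096  0  0'

# The state this section starts from: swap written to disk in the clear.
UNENCRYPTED_FSTAB='/dev/ada0s1b  none  swap  sw  0  0'

# Print one line per swap entry: "<device> <geli|gbde|PLAINTEXT> <options>".
# Usage: printf '%s\n' "$fstab_text" | swap_status
swap_status() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in
            ''|\#*) continue ;;        # skip blank lines and comment lines
        esac
        [ "$fstype" = "swap" ] || continue
        case "$dev" in
            *.eli) printf '%s geli %s\n' "$dev" "$opts" ;;
            *.bde) printf '%s gbde %s\n' "$dev" "$opts" ;;
            *)     printf '%s PLAINTEXT %s\n' "$dev" "$opts" ;;
        esac
    done
}

# Print the value of one geli option (ealgo, keylen, sectorsize, aalgo) from an
# fstab options field. Prints nothing when the option is absent, which means
# geli falls back to its default (AES with a 128-bit key).
# Usage: geli_option "sw,ealgo=blowfish,keylen=128" keylen   -> 128
geli_option() {
    opts=$1; name=$2
    old_ifs=$IFS; IFS=,
    for kv in $opts; do
        case "$kv" in
            "$name"=*) printf '%s\n' "${kv#*=}" ;;
        esac
    done
    IFS=$old_ifs
}

# Return 0 (true) when every swap entry in the given fstab text is encrypted.
# Usage: all_swap_encrypted "$fstab_text"
all_swap_encrypted() {
    ! printf '%s\n' "$1" | swap_status | grep -q ' PLAINTEXT '
}

# Demonstration when run directly: the encrypted entry, then the plaintext one.
printf '%s\n' "$SAMPLE_FSTAB" | swap_status
printf '%s\n' "$UNENCRYPTED_FSTAB" | swap_status
```

To audit a live system, replace the constructed text with `swap_status < /etc/fstab`; a PLAINTEXT line is the condition this section exists to remove, and an .eli entry with no keylen or ealgo simply runs with geli's defaults rather than being misconfigured.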